Faux WP-Admin: A non-WordPress Honeypot!

May 4, 2013 - By

These are interesting times for WordPress. Being the most widely used CMS on the planet has one major drawback: you’re the biggest target. In the past few weeks some nefarious dorks (*pauses to go check site’s usernames before publishing*) have been trying to brute force WordPress installations. Lame.

I actually have a wee scheme that could help make this work harder for the robots that run amok trying to do this dirty work!

Introducing Faux WP-Admin!

This is a pretty simple idea, basically make crawlers think your website is WordPress even when it’s not! Check out the demo page, or download it here (or go make your own in about 5 min).

faux admin

I’m calling it the first WordPress plugin exclusively for non-WordPress sites. Note the URL: not WordPress. Obviously it needs to be in /wp-admin as index.php and wp-login.php

What you’re seeing isn’t a real WordPress login screen. It’s a localized copy that isn’t a part of a WordPress installation. It’s a static page. Robots have a blast trying to login for hours! I could probably make the error part handle better, but this is the first draft.

I just love the idea of building websites to call assets from the same paths as WordPress would: domain.com/wp-content/themes/twentythirteen/images/whatever.jpg. You could construct almost any site in such a way as to appear to be an installation of WP. There aren’t any great advantages to you, but you would be helping a massive community by giving a bit more fun obscurity!

A statistic from the embarrassingly old article linked (I found a more recent post elsewhere, but it had a full page ad to skip, and it was a paginated article. I respect your time too much to link to that) at the top of this post says WordPress makes up roughly 14  – 17% of the top million sites. What if 100% of the sites had the /wp-admin login that bots are looking for?!

How good is this? My Chrome tries to auto complete the username and password. That’s one good robot fooled!


This week I’m starting the first non-WordPress site I’ve done in over six month. It’s using an enterprise level CMS. I somehow doubt they’ll let me get away with this, but we’ll see 😉

Now that I’ve put this online and made myself a target of robo-bitterness, excuse me while I add ALL of the security plugins.

Categorized in:

This post was written by ArleyM